EXYN TECHNOLOGIES, INC.

AND ITS SUBSIDIARY, RANGE

DATA PRIVACY POLICY

Effective Date: April 9, 2026

1. Introduction

Exyn Technologies, Inc. and its subsidiary, Range (collectively referred to as “Exyn,” “Range,” “we,” “us,” or “our”), are committed to protecting the privacy and security of the personal data entrusted to us by our customers, partners, website visitors, and other stakeholders.

This Data Privacy Policy (“Policy”) describes how we collect, use, disclose, retain, and protect personal information when you visit our websites (exyn.com, and any Range-branded websites), use our products and services, or otherwise interact with us.

This Policy is designed to comply with applicable data protection laws, including but not limited to: the General Data Protection Regulation (EU) 2016/679 (“GDPR”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); and other applicable U.S. federal and state privacy laws.

2. Scope

This Policy applies to all personal information collected through our websites, applications, products, services, and any offline interactions such as trade shows, events, or direct communications. It applies to:

Visitors to our websites and online platforms
Business customers, prospects, and partners (B2B contacts)
Users of our products and services, including autonomous robotics platforms
Individuals who communicate with us via email, phone, or other channels
Job applicants and employees (to the extent not covered by a separate employee privacy notice)

3. Information We Collect

3.1 Information You Provide Directly

Contact information: name, email address, phone number, company name, job title, and mailing address
Account information: login credentials, user preferences, and profile data
Transaction and billing information: purchase orders, invoices, payment method details (processed by third-party payment processors), and shipping addresses
Communications: inquiries, support requests, feedback, and correspondence submitted through forms, emails, or other channels
Event and marketing information: registration details for webinars, trade shows, and other events

3.2 Information Collected Automatically

Device and browser information: IP address, device type, operating system, browser type and version, screen resolution, and language preferences
Usage data: pages visited, links clicked, time spent on pages, referring URLs, and navigation paths
Cookies and similar technologies: cookies, web beacons, pixels, local storage, and similar tracking technologies (see Section 10 for details)
Log data: server logs, error reports, and access timestamps
Geolocation data: approximate geographic location derived from IP address

3.3 Information from Third Parties

Business partners and resellers who refer or transact on your behalf
Publicly available business databases and directories
Analytics providers, advertising networks, and marketing platforms
Social media platforms when you interact with our social media pages or log in through social authentication

4. How We Use Your Information

We process personal information for the following purposes:

To provide, maintain, and improve our products and services, including autonomous robotic mapping and software platforms
To process transactions, manage accounts, and fulfill contractual obligations
To communicate with you, including responding to inquiries, providing customer support, and sending service-related notifications
To send marketing and promotional communications (where you have opted in or where permitted by law)
To personalize your experience and provide content relevant to your interests
To conduct analytics and research to improve our websites, products, and services
To detect, prevent, and address fraud, security threats, and technical issues
To comply with legal obligations, enforce our terms, and protect our rights and the rights of others
To facilitate business transactions such as mergers, acquisitions, or asset sales

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we rely on the following legal bases under the GDPR to process your personal data:

Legal Basis	Description
Contractual Necessity	Processing necessary to perform our contract with you or to take pre-contractual steps at your request (e.g., fulfilling orders, managing accounts).
Legitimate Interests	Processing necessary for our legitimate business interests, such as marketing to existing customers, improving our services, fraud prevention, and network security, where these interests are not overridden by your fundamental rights.
Consent	Where you have given clear, affirmative consent for a specific processing activity (e.g., subscribing to newsletters, accepting non-essential cookies). You may withdraw consent at any time.
Legal Obligation	Processing necessary to comply with applicable laws, regulations, court orders, or governmental requests.

6. Disclosure of Information

We may share your personal information with the following categories of recipients:

Service providers and processors: Third parties who assist us in operating our websites, processing payments, delivering products, conducting analytics, sending emails, and providing customer support. These providers are contractually obligated to protect your data and may only process it on our behalf.
Business partners and resellers: Trusted partners involved in the delivery of products and services to you, subject to appropriate data protection agreements.
Affiliates and subsidiaries: Exyn Technologies, Inc. and Range may share personal information between them for the purposes described in this Policy.
Legal and regulatory authorities: When required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Exyn, our customers, or the public.
Business transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity.

We do not sell personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising purposes unless you have provided opt-in consent.

7. Your Privacy Rights

7.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Right of access: request a copy of the personal data we hold about you
Right to rectification: request correction of inaccurate or incomplete data
Right to erasure: request deletion of your personal data, subject to certain exceptions
Right to restriction of processing: request that we limit how we process your data
Right to data portability: receive your data in a structured, commonly used, machine-readable format
Right to object: object to processing based on legitimate interests or for direct marketing
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
Right to lodge a complaint: file a complaint with your local data protection authority

7.2 Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

Right to know: request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we have shared your information
Right to delete: request deletion of your personal information, subject to certain exceptions
Right to correct: request correction of inaccurate personal information
Right to opt out of sale or sharing: direct us not to sell or share your personal information for cross-context behavioral advertising. We do not currently sell personal information.
Right to limit use of sensitive personal information: if applicable, you may limit our use of sensitive personal information to purposes necessary to provide the services you have requested
Right to non-discrimination: we will not discriminate against you for exercising any of your privacy rights

We honor Global Privacy Control (GPC) signals and other opt-out preference signals as valid requests to opt out of the sale or sharing of personal information, as required by applicable law.

7.3 Rights Under Other U.S. State Privacy Laws

Residents of states with comprehensive privacy legislation (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, correct, delete, and opt out of certain processing. We will honor valid requests in accordance with applicable state law.

7.4 How to Exercise Your Rights

To submit a privacy request, please contact us using the information provided in Section 16 below. We will verify your identity before processing your request using reasonable methods such as matching the information you provide with the records we maintain. Authorized agents may submit requests on your behalf with proper verification.

We will respond to verifiable requests within the timeframes required by applicable law (generally within 30 days under GDPR and 45 days under CCPA/CPRA, subject to permitted extensions).

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, contractual, or reporting requirements.

Retention periods are determined based on:

The nature and sensitivity of the data
The purposes for which we process the data
Applicable legal, regulatory, and contractual requirements
The potential risk of harm from unauthorized use or disclosure

When personal information is no longer required, we will securely delete or anonymize it in accordance with our data retention schedule and applicable law.

9. Data Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption of personal data in transit (TLS/SSL) and at rest where appropriate
Access controls and authentication mechanisms to limit access to authorized personnel
Regular security assessments, vulnerability scanning, and penetration testing
Employee training on data protection and information security best practices
Incident response procedures to address potential data breaches promptly

No method of transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

10. Cookies and Tracking Technologies

Our websites use cookies and similar technologies to enhance your browsing experience, analyze website traffic, and personalize content. The types of cookies we use include:

Cookie Type	Purpose	Legal Basis
Strictly Necessary	Essential for website functionality (e.g., security, session management)	Legitimate interest / Contractual necessity
Performance / Analytics	Collect anonymized data about website usage to improve performance and content	Consent
Functional	Remember your preferences, language, and settings for a personalized experience	Consent
Marketing / Targeting	Deliver relevant advertisements and measure campaign effectiveness	Consent

You can manage your cookie preferences through our cookie consent banner displayed upon your first visit, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of our websites.

We honor Do Not Track (DNT) browser signals and Global Privacy Control (GPC) signals as opt-out requests in jurisdictions where required by law.

11. International Data Transfers

Exyn Technologies, Inc. and Range are headquartered in the United States. If you are located outside the United States, your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States or other countries not deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including:

Standard Contractual Clauses (SCCs) adopted by the European Commission
UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable
Supplementary measures, including technical and organizational safeguards, as appropriate based on transfer impact assessments
The EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, to the extent applicable and certified

You may request a copy of the safeguards we use for international transfers by contacting us at the address provided in Section 16.

12. Automated Decision-Making and Profiling

Exyn and Range do not currently engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals, as described under Article 22 of the GDPR. If we introduce such processing in the future, we will update this Policy and provide you with meaningful information about the logic involved, the significance of such processing, and the envisaged consequences.

We may use automated tools for analytics, fraud detection, and service optimization. These tools assist our personnel in making decisions but do not make decisions with legal or similarly significant effects without human review.

13. Children’s Privacy

Our websites and services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such information promptly. If you believe that a child has provided us with personal information, please contact us using the information in Section 16.

14. Third-Party Links and Services

Our websites may contain links to third-party websites, applications, or services that are not operated or controlled by Exyn or Range. This Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through our websites.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, applicable laws, or regulatory guidance. When we make material changes, we will notify you by posting the updated Policy on our websites with a revised effective date. We may also provide additional notice, such as email notification, for significant changes. We encourage you to review this Policy periodically.

16. Contact Us

If you have questions, concerns, or requests regarding this Data Privacy Policy or our data practices, please contact us:

Exyn Technologies, Inc.

Attn: Privacy Team

Email: privacy@exyn.com

Website: www.exyn.com

Physical Address: 2118 Washington Ave Suite 1000 Philadelphia, PA 19146

For data subjects located in the EEA, UK, or Switzerland, you may also contact your local data protection authority to lodge a complaint if you believe your rights have been violated.

For California residents, you may also submit a privacy request through the “Do Not Sell or Share My Personal Information” link on our website, if applicable.

Appendix A: California-Specific Disclosures (CCPA/CPRA)

The following disclosures are provided in accordance with the CCPA/CPRA for California residents. This appendix supplements the main body of this Policy.

Categories of Personal Information Collected in the Past 12 Months

CCPA Category	Examples	Source
Identifiers	Name, email, phone, company name, IP address	Directly from you; automatic collection
Commercial Information	Purchase history, transaction records, billing information	Directly from you; service providers
Internet / Electronic Activity	Browsing history, search history, interactions with our website	Automatic collection
Geolocation Data	Approximate location from IP address	Automatic collection
Professional / Employment Information	Job title, company, professional background	Directly from you; business partners
Inferences	Preferences, characteristics, and interests derived from collected data	Internal analysis

Sale and Sharing of Personal Information

Exyn and Range do not sell personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising unless you have provided opt-in consent.

Sensitive Personal Information

We do not collect or process sensitive personal information as defined under the CCPA/CPRA (e.g., Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, or biometric information) beyond what is necessary to provide our products and services.

Retention Periods by Category

Category	Retention Period
Identifiers	Duration of business relationship plus 3 years, or as required by law
Commercial Information	Duration of business relationship plus 7 years (tax and audit requirements)
Internet / Electronic Activity	Up to 26 months from collection (analytics); session-based for strictly necessary cookies
Geolocation Data	Up to 26 months from collection (tied to analytics data)
Professional / Employment Information	Duration of business relationship plus 3 years
Inferences	Retained only as long as the underlying data is retained; deleted or anonymized thereafter

Financial Incentive Programs

We do not offer financial incentive programs tied to the collection, retention, or sale of personal information.